This blog is a personal book on Security/ IDM related thoughts/opinions.
The blog posts are a personal opinion only and neither reflect the views of current/past employers nor any OTHER person living/dead on this planet.


Friday, May 15, 2009

Historically, JBoss AS has provided the DynamicLoginConfig service to specify your security domain configuration (JAAS login modules). Starting with JBoss AS 5.0, we provide a simplified XML version of that, as follows:

You will need to create an xxx-jboss-beans.xml file, and then you can define your login modules as follows:
===================================
<?xml version="1.0" encoding="UTF-8"?>

Tuesday, May 5, 2009

Let us take a look at a particular use case in which I had to inject passwords from an out-of-band password management scheme into POJOs. The use case was to eliminate clear text passwords from XML files in the JBoss Application Server v5.1 and beyond. Since POJOs are the norm in JBAS 5.x, it was important to figure out a mechanism to inject the passwords into POJO properties in a generic, non-intrusive way. The AOP Lifecycle Callback mechanism described in the JBoss Microcontainer documentation (http://www.jboss.org/file-access/default/members/jbossmc/freezone/docs/2.0.x/userGuide/ch05.html) allowed me to achieve this.

The reason I used lifecycle callbacks rather than aspects is that I needed a generic way to specify the properties into which the password needed to be injected, and all I cared about was that the password was injected when the bean was created/started and ready for use. Hence the lifecycle callbacks fit perfectly.

A very good use case for aspects would be if I wanted to store values in POJO properties in encrypted form; a setter would then encrypt the data on the way in. That use case is left for another day.

Let us walk through my use case implementation:

Step 1: Annotation

Let us look at a POJO definition in the JBoss AS. I can take the example of the JBoss Messaging SecurityStore bean. It has a property called "suckerPassword" that needs a password value.

    /**
     * Name of the method
     * that represents the password
     * @return
     */
    String methodName();
}
=================================

It is not a magical annotation.

The annotation in the bean definition basically lets the microcontainer apply the annotation to the bean.

Step 2: AOP Lifecycle callbacks

First, I needed to add the lifecycle elements into the security-jboss-beans.xml file, since these were security callbacks. In my use case, the PasswordMaskManagement bean is the one that interacts with the out-of-band password management system. I declare the lifecycle callback advices and then inject the password mask management bean into them.

Now, as beans go through the MC lifecycle, the advice is applied. If a bean carries the @Password annotation, then, as you can see, we inject the password (obtaining it from the PasswordMaskManagement bean).
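As an added illustration (not the post's own code, and without the JBoss Microcontainer API), here is the shape of the @Password advice: the annotation names the setter, and the callback looks the annotation up on the bean at install time and asks a PasswordMaskManagement-style bean for the secret. The MC ControllerContext hand-off is simplified to a plain install(Object bean) method, and PasswordMaskManagement.getPassword(String) keyed by bean class name is an assumed lookup, not the real class.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

// Annotation: names the setter that receives the password (mirrors the post's methodName()).
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface Password {
    String methodName();
}

// Stand-in for the post's PasswordMaskManagement bean (assumed API; constructed sample value).
class PasswordMaskManagement {
    public String getPassword(String beanName) {
        return "SecurityStore".equals(beanName) ? "s3cr3t-from-keystore" : null;
    }
}

// Lifecycle-callback advice: the password is injected at install time, never written in XML.
class PasswordInjectionCallback {
    private final PasswordMaskManagement pmm;
    PasswordInjectionCallback(PasswordMaskManagement pmm) { this.pmm = pmm; }

    public void install(Object bean) throws Exception {
        Password ann = bean.getClass().getAnnotation(Password.class);
        if (ann == null) return;                        // no-op for beans without @Password
        String secret = pmm.getPassword(bean.getClass().getSimpleName()); // assumed key scheme
        if (secret == null) throw new IllegalStateException("no password for " + bean.getClass());
        Method setter = bean.getClass().getMethod(ann.methodName(), String.class);
        setter.invoke(bean, secret);
    }
}

// Bean modelled on the post's SecurityStore / suckerPassword example.
@Password(methodName = "setSuckerPassword")
class SecurityStore {
    private String suckerPassword;
    public void setSuckerPassword(String p) { suckerPassword = p; }
    public boolean hasPassword() { return suckerPassword != null && !suckerPassword.isEmpty(); }
}

public class Demo {
    public static void main(String[] args) throws Exception {
        SecurityStore store = new SecurityStore();
        new PasswordInjectionCallback(new PasswordMaskManagement()).install(store);
        // Report only whether injection happened; the secret itself is never logged.
        System.out.println("password injected: " + store.hasPassword());
    }
}
```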

Conclusion

Here we have seen injection of passwords into beans using AOP lifecycle callbacks. JBoss AS 5.x ships with a @JndiBinding annotation that can similarly bind a POJO to JNDI. A user/developer can always add similar behavior to beans.

To summarize, if you want to leverage the AOP lifecycles in a non-intrusive manner, you can use an annotation and an advice. Then just define them in the bean definition file xxx-jboss-beans.xml.